From 0968e7169415381926782c22372f0d060336778c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Mon, 10 Mar 2008 15:00:05 +0000
Subject: [PATCH] Try searchin the key by to use by first looking for for
 PK-INIT EKU, then the Microsoft smart card EKU and last, no special EKU at
 all.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22673 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/pkinit.c | 82 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 60 insertions(+), 22 deletions(-)

diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 1c8621fd4..c5fe2287d 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -139,17 +139,59 @@ integer_to_BN(krb5_context context, const char *field, const heim_integer *f)
     return bn;
 }
 
+struct certfind {
+    const char *type;
+    const heim_oid *oid;
+};
+
+/*
+ * Try searchin the key by to use by first looking for for PK-INIT
+ * EKU, then the Microsoft smart card EKU and last, no special EKU at all.
+ */
 
 static krb5_error_code
-_krb5_pk_create_sign(krb5_context context,
-		     const heim_oid *eContentType,
-		     krb5_data *eContent,
-		     struct krb5_pk_identity *id,
-		     hx509_peer_info peer,
-		     krb5_data *sd_data)
+find_cert(krb5_context context, struct krb5_pk_identity *id, 
+	  hx509_query *q, hx509_cert *cert)
 {
-    hx509_cert cert;
-    hx509_query *q;
+    struct certfind cf[3] = { 
+	{ "PKINIT EKU" },
+	{ "MS EKU" },
+	{ "no" }
+    };
+    int i, ret;
+
+    cf[0].oid = oid_id_pkekuoid();
+    cf[1].oid = oid_id_pkinit_ms_eku();
+    cf[2].oid = NULL;
+
+    for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) {
+	ret = hx509_query_match_eku(q, cf[i].oid);
+	if (ret) {
+	    _krb5_pk_copy_error(context, id->hx509ctx, ret, 
+				"Failed setting %s OID", cf[i].type);
+	    return ret;
+	}
+
+	ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert);
+	if (ret == 0)
+	    break;
+	_krb5_pk_copy_error(context, id->hx509ctx, ret, 
+			    "Failed cert for finding %s OID", cf[i].type);
+    }
+    return ret;
+}
+
+
+static krb5_error_code
+create_signature(krb5_context context,
+		 const heim_oid *eContentType,
+		 krb5_data *eContent,
+		 struct krb5_pk_identity *id,
+		 hx509_peer_info peer,
+		 krb5_data *sd_data)
+{
+    hx509_cert cert = NULL;
+    hx509_query *q = NULL;
     int ret;
 
     ret = hx509_query_alloc(id->hx509ctx, &q);
@@ -162,13 +204,10 @@ _krb5_pk_create_sign(krb5_context context,
     hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
     hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
 
-    ret = hx509_certs_find(id->hx509ctx, id->certs, q, &cert);
+    ret = find_cert(context, id, q, &cert);
     hx509_query_free(id->hx509ctx, q);
-    if (ret) {
-	_krb5_pk_copy_error(context, id->hx509ctx, ret, 
-			    "Find certificate to signed CMS data");
+    if (ret)
 	return ret;
-    }
 
     ret = hx509_cms_create_signed_1(id->hx509ctx,
 				    0,
@@ -181,11 +220,14 @@ _krb5_pk_create_sign(krb5_context context,
 				    NULL,
 				    id->certs,
 				    sd_data);
-    if (ret)
-	_krb5_pk_copy_error(context, id->hx509ctx, ret, "create CMS signedData");
     hx509_cert_free(cert);
+    if (ret) {
+	_krb5_pk_copy_error(context, id->hx509ctx, ret,
+			    "Create CMS signedData");
+	return ret;
+    }
 
-    return ret;
+    return 0;
 }
 
 static int
@@ -543,12 +585,8 @@ pk_mk_padata(krb5_context context,
     } else
 	krb5_abortx(context, "internal pkinit error");
 
-    ret = _krb5_pk_create_sign(context,
-			       oid,
-			       &buf,
-			       ctx->id,
-			       ctx->peer,
-			       &sd_buf);
+    ret = create_signature(context, oid, &buf, ctx->id,
+			   ctx->peer, &sd_buf);
     krb5_data_free(&buf);
     if (ret)
 	goto out;